Domain 1: Security and Risk Management : Answer Review Questions


Which type of crime occurs when a computer is used as a tool to help commit a crime? a. Computer-assisted crime b. Incidental computer crime c. Computer-targeted crime d. Computer prevalence crime

a. Computer-assisted crime A computer-assisted crime occurs when a computer is used as a tool to help commit a crime. An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer-targeted crime occurs when a computer is the victim of an attack in which the sole purpose is to harm the computer and its owner. A computer prevalence crime occurs due to the fact that computers are so widely used in today's world.

Which specific plan focuses on restoring an organization's mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations? a. Continuity of operations plan b. Business continuity plan c. Crisis communications plan d. Cyber incident response plan

a. Continuity of operations plan A continuity of operations plan (COOP) is a plan that focuses on restoring an organization's mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations. A business continuity plan (BCP) is a plan that focuses on sustaining an organization's mission/business processes during and after a disruption. A crisis communications plan is a plan that documents standard procedures for internal and external communications in the event of a disruption. It also provides various formats for communications appropriate to the incident. A cyber incident response plan is a plan that establishes procedures to address cyber attacks against an organization's information system(s).

Which organization role determines the classification level of the information to protect the data for which he is responsible? a. Data owner b. Data custodian c. Security administrator d. Security analyst

a. Data owner The data owner determines the classification level of the information to protect the data for which he or she is responsible. The data custodian implements the information classification and controls after they are determined. The security administrator maintains security devices and software. The security analyst analyzes the security needs of the organization and develops the internal information security governance documents.

What is the legal term used to describe an organization taking all reasonable measures to prevent security breaches and also taking steps to mitigate damages caused by successful breaches? a. Due care b. Due diligence c. Default security posture d. Qualitative risk analysis

a. Due care Due care is a legal term that is used when an organization took all reasonable measures to prevent security breaches and also took steps to mitigate damages caused by successful breaches. Due diligence is a legal term that is used when an organization investigated all vulnerabilities. The default security posture is the baseline access stance an organization adopts. An allow-by-default security posture permits access to any data unless a need exists to restrict access. A deny-by-default security posture is much stricter because it denies any access that is not explicitly permitted. Qualitative risk analysis is a method of analyzing risk whereby intuition, experience, and best practice techniques are used to determine risk.

What is the first stage of the security program life cycle? a. Plan and Organize b. Implement c. Operate and Maintain d. Monitor and Evaluate

a. Plan and Organize The four stages of the security program life cycle, in order, are as follows:
1: Plan and Organize
2: Implement
3: Operate and Maintain
4: Monitor and Evaluate

Which of the following controls is an administrative control? a. Security policy b. CCTV c. Data backups d. Locks

a. Security policy A security policy is an administrative control. CCTV and locks are physical controls. Data backups are a technical control.

Which of the following is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency? a. Occupant emergency plan b. Disaster recovery plan c. Information system contingency plan d. Critical infrastructure protection plan

b. Disaster recovery plan A disaster recovery plan (DRP) is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. An occupant emergency plan (OEP) is a plan that outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. An information system contingency plan (ISCP) provides established procedures for the assessment and recovery of a system following a system disruption. A critical infrastructure protection (CIP) plan is a set of policies and procedures that serve to protect and recover assets and mitigate risks and vulnerabilities.

What is the first step of the NIST SP 800-154 draft publication for data-centric system threat modeling? a. Identify and select the attack vectors to be included in the model. b. Identify and characterize the system and data of interest. c. Analyze the threat model. d. Characterize the security controls for mitigating the attack vectors.

b. Identify and characterize the system and data of interest. NIST SP 800-154 is a draft publication for data-centric system threat modeling. It includes the following steps:
1: Identify and characterize the system and data of interest.
2: Identify and select the attack vectors to be included in the model.
3: Characterize the security controls for mitigating the attack vectors.
4: Analyze the threat model.
Most of the actions within the methodology can be addressed in a wide variety of ways in terms of both content (what information is captured) and format/structure (how that information is captured).

What is the first step of CRAMM? a. Identify threats and vulnerabilities b. Identify and value assets c. Identify countermeasures d. Prioritize countermeasures

b. Identify and value assets A CRAMM review includes three steps:
1: Identify and value assets.
2: Identify threats and vulnerabilities and calculate risks.
3: Identify and prioritize countermeasures.

Which framework uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)? a. Six Sigma b. SABSA c. ITIL d. ISO/IEC 27000 series

b. SABSA SABSA uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). Six Sigma is a process improvement standard that includes two project methodologies that were inspired by Deming's Plan-Do-Check-Act cycle. ITIL is a process management development standard that has five core publications: ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement. The ISO/IEC 27000 Series includes a list of standards, each of which addresses a particular aspect of information security management.

What is risk avoidance? a. Risk that is left over after safeguards have been implemented b. Terminating the activity that causes a risk or choosing an alternative that is not as risky c. Passing the risk on to a third party d. Defining the acceptable risk level the organization can tolerate and reducing the risk to that level

b. Terminating the activity that causes a risk or choosing an alternative that is not as risky Risk avoidance is terminating the activity that causes a risk or choosing an alternative that is not as risky. Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

Which of the following is a segment of the communication path that an attack uses to access a vulnerability? a. Breach b. Threat agent c. Attack vector d. Countermeasure

c. Attack vector An attack vector is a segment of the communication path that an attack uses to access a vulnerability. A breach is an attack that has been successful in reaching its goal. A threat is carried out by a threat agent. Not all threat agents will actually exploit an identified vulnerability. A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls.

Which threat modeling perspective profiles malicious characteristics, skills, and motivation to exploit vulnerabilities? a. Application-centric b. Asset-centric c. Attacker-centric d. Hostile-centric

c. Attacker-centric Attacker-centric threat modeling profiles an attacker's characteristics, skills, and motivation to exploit vulnerabilities. Application-centric threat modeling uses application architecture diagrams to analyze threats. Asset-centric threat modeling uses attack trees, attack graphs, or displaying patterns to determine how an asset can be attacked. Hostile describes one of two threat actor categories: non-hostile and hostile.

Which management officer implements and manages all aspects of security, including risk analysis, security policies and procedures, training, and emerging technologies? a. CPO b. CFO c. CSO d. CIO

c. CSO The chief security officer (CSO) is the officer that leads any security effort and reports directly to the chief executive officer (CEO). The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the chief information officer (CIO). The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. The CFO reports directly to the CEO and must also provide financial data for the shareholders and government entities. The CIO is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO.

Which security principle is the opposite of disclosure? a. Integrity b. Availability c. Confidentiality d. Authorization

c. Confidentiality The opposite of disclosure is confidentiality. The opposite of corruption is integrity. The opposite of destruction is availability. The opposite of disapproval is authorization.

Which of the following is NOT a consideration for security professionals during mergers and acquisitions? a. New data types b. New technology types c. Cost of the merger or acquisition d. The other organization's security awareness training program

c. Cost of the merger or acquisition A security professional should not be concerned with the cost of a merger or an acquisition. A security professional should only be concerned with issues that affect security and leave financial issues to financial officers.

Which of the following is the process of taking away or removing characteristics from something in order to reduce it to a set of essential characteristics? a. Auditing b. Accounting c. Non-repudiation d. Abstraction

d. Abstraction Abstraction is the process of taking away or removing characteristics from something to reduce it to a set of essential characteristics. Auditing is the process of providing a manual or systematic measurable technical assessment of a system or application. Accounting is the process whereby auditing results are used to hold users and organizations accountable for their actions or inaction. Non-repudiation is the assurance that a user cannot deny an action.

Which type of access control type is an acceptable use policy (AUP) most likely considered? a. Corrective b. Detective c. Compensative d. Directive

d. Directive The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow. Corrective controls are in place to reduce the effect of an attack or other undesirable event. Examples of corrective controls include installing fire extinguishers and implementing new firewall rules. Detective controls are in place to detect an attack while it is occurring and alert appropriate personnel. Examples of detective controls include motion detectors, IDSs, and guards. Compensative controls are in place to substitute for a primary access control and mainly act as a mitigation to risks. Examples of compensative controls include requiring two authorized signatures to release sensitive or confidential information and requiring two keys owned by different personnel to open a safety deposit box.

Which of the following do organizations have employees sign in order to protect trade secrets? a. Trademark b. Patent c. DRM d. NDA

d. NDA Most organizations that have trade secrets attempt to protect these secrets using nondisclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret. A trademark is an intellectual property type that ensures that the symbol, sound, or expression that identifies a product or an organization is protected from being used by another. A patent is an intellectual property type that covers an invention described in a patent application and is granted to an individual or company. Digital rights management (DRM) is used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content. This often also involves device

Which term indicates the monetary impact of each threat occurrence? a. ARO b. ALE c. EF d. SLE

d. SLE Single loss expectancy (SLE) indicates the monetary impact of each threat occurrence. Annualized rate of occurrence (ARO) is the estimate of how often a given threat might occur annually. Annual loss expectancy (ALE) is the expected risk factor of an annual threat event. Exposure factor (EF) is the percent value or functionality of an asset that will be lost when a threat event occurs.

Which of the following is a six-category threat classification model developed by Microsoft to assess the threats in an application? a. VAST b. Trike c. PASTA d. STRIDE

d. STRIDE Developed by Microsoft, STRIDE is a threat classification model that is used to assess the threats in an application. It covers the following six categories:
- Spoofing of user identity
- Tampering
- Repudiation
- Information disclosure (privacy breach or data leak)
- Denial of service (DoS)
- Elevation of privilege
The Visual, Agile, and Simple Threat (VAST) Model was created as a result of the shortcomings in the other models and methodologies. VAST threat modeling scales across the infrastructure and entire development portfolio. Trike is both a methodology and a tool with its basis in a requirements model designed to ensure the level of risk assigned to each asset is classified as acceptable by stakeholders. The Process for Attack Simulation and Threat Analysis (PASTA) methodology provides a seven-step process for analyzing applications to align business objectives and technical requirements. It is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Which group of threat agents includes hardware and software failure, malicious code, and new technologies? a. Human b. Natural c. Environmental d. Technical

d. Technical Technical threat agents include hardware and software failure, malicious code, and new technologies. Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).

Which of the following frameworks is a two-dimensional model that intersects communication interrogatives (What, Why, Where, and so on) with various viewpoints (Planner, Owner, Designer, and so on)? a. SABSA b. Zachman Framework c. TOGAF d. ITIL

b. Zachman Framework The Zachman Framework is a two-dimensional model that intersects communication interrogatives (What, Why, Where, and so on) with various viewpoints (Planner, Owner, Designer, and so on). It is designed to help optimize communication between the various viewpoints during the creation of the security architecture.

What is a vulnerability? a. The entity that carries out a threat b. The exposure of an organizational asset to losses c. An absence or a weakness of a countermeasure that is in place d. A control that reduces risk

c. An absence or a weakness of a countermeasure that is in place A vulnerability is an absence or a weakness of a countermeasure that is in place. A threat occurs when a vulnerability is identified or exploited. A threat agent is the entity that carries out a threat. Exposure occurs when an organizational asset is exposed to losses. A countermeasure or safeguard is a control that reduces risk.

Which security policies provide instruction on acceptable and unacceptable activities? a. Informative security policies b. Regulatory security policies c. System-specific security policies d. Advisory security policies

d. Advisory security policies Advisory security policies provide instruction on acceptable and unacceptable activities. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

Which access control type reduces the effect of an attack or another undesirable event? a. Compensative control b. Preventive control c. Detective control d. Corrective control

d. Corrective control A corrective control reduces the effect of an attack or other undesirable event. A compensative control substitutes for a primary access control and mainly acts as mitigation to risks. A preventive control prevents an attack from occurring. A detective control detects an attack while it is occurring to alert appropriate personnel.
